318D-NY-2142524-FF Serial 1


FD-1057 (Rev. 5-8-10) 
UNCLASSIFIED 


FEDERAL BUREAU OF INVESTIGATION 


Electronic Communication 


Title: (U) Spear-phishing SEC Scam Date: 03/13/2017 





From: NEW YORK 
NY-C1 
b6 
b7c 


Case ID #: 318D-NY-2142524-FF (U) Spear-phishing SEC Scam 





Synopsis: (U) To open an Asset Forfeiture subfile. 


Details: 


An article on the FORTUNE website reported a cyber spear-phishing
scam in which emails, purportedly from the Securities and Exchange
Commission, were sent to companies in an effort to obtain inside
information. The messages specifically targeted individuals in
positions responsible for SEC filings. When individuals clicked on
instructions within a MICROSOFT Word file in the emails, the attackers
were granted access to internal networks. FORTUNE reported that the
spear-phishing attack was discovered in February by a company called
FIREEYE, which was able to intercept some of the emails. FIREEYE
believed the attackers to be an Eastern European crime syndicate
attempting to achieve financial gain by trading based on inside
information.

This subfile will serve as a repository for forfeiture-related
materials.


++ 


UNCLASSIFIED 


318D-NY-2142524 Serial 1 


UNCLASSIFIED 


Title: (U) 2017 03 08 Opening
Re: 318D-NY-2142524, 03/08/2017

Attorney's Office for the Eastern District of New York (EDNY) concurred
with the opening of the captioned investigation. On March 08, 2017,
Supervisory Special Agent of the Complex Financial
Crimes Unit concurred with the opening of the captioned investigation.

Initial investigative steps will include identifying witnesses and
potential victims; coordinating with the SEC; obtaining and reviewing
suspect emails; reviewing publicly available information.

The captioned investigation will be opened and assigned to Special
Agent (sap New York Squad C-1.


++ 


UNCLASSIFIED 


2 


b6 
b7C 


b6 
b7C 


Fake SEC Phishing Emails Target Execs for Inside information | Fortune.com Page 1 of 13


Fake SEC Emails Target Execs for Inside information

Jeff John Roberts
Mar 07, 2017


Cyber scammers are using a new trick to get confidential corporate information: They are sending spoofed emails, 
purporting to be from the Security and Exchange Commission, and aiming them at lawyers, compliance managers, and 
other company officials who file documents with the SEC. 


http://fortune.com/2017/03/07/sec-phishing/


The security company FireEye (FEYE, +0,52%) discovered the ruse in late February, when it intercepted suspicious 
emails targeted at companies in sectors ranging from transportation to banking to retail. FireEye, which set out its 
findings in a blog post, believes the scammers are likely to be an Eastern European criminal syndicate looking to make 
money by trading on inside information. 


In some cases, FireEye says corporate executives did click on a fake Microsoft Word file included with the email. Here's
[illegible] the email, which contains little text and appears to come from EDGAR, which is the [illegible]
filing service:


[Screenshot of the email: sender shown as EDGAR <filings@sec.gov>; body text reads "Important changes on Form 10-K and Instructions"]





Those who clicked on instructions in the Word document granted the attackers access to internal corporate networks, 
though FireEye says, in the case of its customers, it was able to contain and evict the scammers within hours. (In many 
cases, the company says it was able to intercept them altogether). 


The reach of the scam, however, could be much broader than the activity detected by FireEye. 


The email attacks in question, known as "spear-phishing," are effective because they are addressed to specific people
and appear to be from a legitimate source. In the case of the fake SEC emails, the targets included corporate officials 
with titles like SEC Reporting Manager and Senior Legal Specialist—the very people, in other words, responsible for 
securities filings, and who could expect to receive an email from the SEC. 




John Miller, a director of threat intelligence at FireEye, described the attackers as among "the most sophisticated 
financial actors" and said their methods were similar to hackers who targeted ATM machines and other parts of the 
banking system. He also warned the hacking tools they sought to install were particularly insidious. 


"It's the Swiss army knife of malware. It lets you do whatever you want to with the compromised system," Miller said.


In response to whether it was familiar with the recent cyber-phishing campaign, a spokesperson for the SEC declined 
comment. 


UNCLASSIFIED


FEDERAL BUREAU OF INVESTIGATION 


Electronic Communication 


Title: (U) Access Request Letter Date: 03/13/2017 





From: NEW YORK 
NY-C1 


b6
b7C
b7E


Case ID #: 318D-NY-2142524 (U) Spear-phishing SEC Scam 





Synopsis: (U) To document an SEC access request. 
Full Investigation Initiated: 03/08/2017 


Enclosure(s): Enclosed are the following items:

1. (U) SEC Access Request Letter
2. (U) SEC Access Granted Letter

Details:

On March 09, 2017, the writer emailed an "access request" letter to
at the SECURITIES AND EXCHANGE COMMISSION (SEC). The
letter, which was addressed to Associate Regional Director
served to request access to the investigative and other non-public
files of the SEC.

On March 10, 2017, the writer received an email from at the
SEC, which contained a letter from granting the requested
access. The letter identified as the initial
SEC point of contact.

b6
b7C


++ 


UNCLASSIFIED 


U.S. Department of Justice 


Federal Bureau of Investigation 





26 Federal Plaza 
New York, NY 10278 
March 9, 2017 
Mr
Associate Regional Director
U.S. Securities and Exchange Commission
New York Regional Office
3 World Financial Center
Suite 400
New York, NY 10281

b6
b7C


Re: Case NY-09645 


We request access to the investigative and other non-public files of the U.S. Securities 
and Exchange Commission ("Commission") related to the above-captioned matter. This request 
is made in connection with an ongoing lawful investigation or official proceeding inquiring into 
a violation of, or failure to comply with, a criminal or civil statute or regulation, rule or order 
issued pursuant thereto, being conducted by The Federal Bureau of Investigation. 


We understand that the files in this matter contain "financial records" of "customers," as 
those terms are defined in the Right to Financial Privacy Act of 1978 [12 U.S.C. §§3401-22]. 
We have reason to believe that that information is relevant to our investigation. 


We will establish and maintain such safeguards as are necessary and appropriate to 
protect the confidentiality of files to which access is granted and information derived therefrom. 
The files and information may, however, be used for the purpose of our investigation and/or 
proceeding and any resulting proceedings. They also may be transferred to criminal law 
enforcement authorities and self-regulatory organizations subject to our oversight. We shall 
notify you of any such transfer and use our best efforts to obtain appropriate assurances of
confidentiality.


Other than as set forth in the preceding paragraph, we will:


• make no public use of these files or information without prior approval of your staff;


• notify you of any legally enforceable demand for the files or information prior to
complying with the demand, and assert such legal exemptions or privileges on your
behalf as you may request; and


• not grant any other demand or request for the files or information without prior notice
to and lack of objection by your staff.


We recognize that until this matter has been closed, the Commission continues to have an
interest and will take further investigatory or other steps as it considers necessary in the
discharge of its duties and responsibilities.


Should you have any questions, please contact: 


Special Agent
Federal Bureau of Investigation
New York Field Office
26 Federal Plaza
New York, New York 10278
Sincerely, 
Michael C. McGarrity 
Special Agent in Charge 
Federal Bureau of Investigation 
B 
b6 
b7C 


Acting Supervisory Special Agent 
Federal Bureau of Investigation 


(NY) (FBI)


From:
Sent: Friday, March 10, 2017 11:52 AM
To: (NY) (FBI)
Cc:
Subject: Access Request NY-09645
Attachments: Access Request 2017-6473 (MNY-09645).pdf

b6
b7C


Please see attached. 


From:
Sent: Friday, March 10, 2017 11:10 AM
To:
Subject:

b6
b7C


H


Can you please process for


Thanks!


UNITED STATES 
SECURITIES AND EXCHANGE COMMISSION 


NEW YORK REGIONAL OFFICE 
BROOKFIELD PLACE, 200 VESEY STREET, TELEPHONE: (212) 336-0181 
SUITE 400 FACSIMILE: (212) 336-1323 
NEW YORK, NY 10281-1022 


WRITER’S DIRECT DIAL LINE 





March 10, 2017 


Michael C. McGarrity 

Special Agent in Charge 
Federal Bureau of Investigation 
New York Field Office 

26 Federal Plaza 

New York, NY 10278 


Re: Certain Spoofed Emails (MNY-09645) 


Dear Mr. McGarrity: 


Your request, by letter dated March 9, 2017, for access to Commission files has been 
granted. In granting access, the Commission has relied upon your assurances that, except as set 
forth in your letter, your office will: 


Provide such safeguards as are necessary and appropriate to protect the confidentiality of 
these files; 


Make no public use of these files or information without prior approval of our staff; 


Notify us of any legally enforceable demand for the files or information prior to complying 
with the demand, and assert such legal exemptions or privileges on our behalf as we may 
request; and 


Not grant any other demand or request for the files or information without prior notice or 
over our objection. 


The files in this matter may contain “financial records” of “customers” of “financial 
institutions,” as those terms are defined in the Right to Financial Privacy Act of 1978 [12 U.S.C. 
3401-22]. In the event that another federal agency should seek information from those files from 
your agency, we urge you to have the federal agency contact us before you provide such 
information. 




The Commission makes no recommendation with respect to the investigation or 
prosecution by your office. In addition, until this matter is closed, the Commission continues to 
have an interest and will take such further investigatory or other steps as it considers necessary in 
the discharge of its duties and responsibilities. 


The files to which access has been granted are being retained by the New York Regional
Office of the Commission. Your representative should contact
make arrangements to review the files. I would also appreciate it if you would inform that person
in the event that your agency institutes public proceedings based upon information that you obtain
as a result of this grant of access.

b6
b7C

Very truly yours


Senior Associate Regional Director


UNCLASSIFIED


FEDERAL BUREAU OF INVESTIGATION 


Electronic Communication 





Title: (U) FIREEYE Report Date: 03/17/2017 

















From: NEW YORK 
NY-C1 


b7E 


Case ID #: 318D-NY-2142524 (U) Spear-phishing SEC Scam 





Synopsis: (U) To document a report obtained from FIREEYE regarding 
their investigation into the SEC spear-phishing scam. 





Full Investigation Initiated: 03/08/2017 


Enclosure(s): Enclosed are the following items: 


1. (U) FIREEYE SEC Spear-phishing Report
2. (U) FIREEYE Indicators

Details:

On March 15, 2017, with the assistance of FIREEYE contacts
and
writer obtained the FIREEYE
threat intelligence report associated with the FORTUNE article

b6
b7C
b7E

The report, which was dated March 01, 2017, contained information
presented in the FORTUNE article and indicated that FIREEYE had high
confidence that an entity called FIN7 was connected to the
attack. The report also stated that FIREEYE had identified 11
targeted organizations within the United States and, more
specifically, within the financial services, transportation, retail,
education, IT services, and electronics sectors.


318D-NY-2142524 Serial 3

UNCLASSIFIED

Title: (U) FIREEYE Report
Re: 318D-NY-2142524, 03/17/2017

FIREEYE'S report noted that many of the targeted organizations also
had an international presence. While the report did not definitively
identify the goal of the attackers, it did speculate that those
involved might be pursuing securities fraud, investment abuse, or
other fraud types.

The FIREEYE report was attached as a 1A package.


FEDERAL BUREAU OF INVESTIGATION


Electronic Communication 





Title: (U) FIREEYE Conference Call Date: 04/04/2017 














From: NEW YORK 
NY-C1 








b7C 
b7E 

Case ID #: 318D-NY-2142524 (U) Spear-phishing SEC Scam 

Synopsis: (U) To document a conference call with FIREEYE personnel. 

Full Investigation Initiated: 03/08/2017 

Enclosure(s): Enclosed are the following items: 

1. (U) FIREEYE Call Notes

Details: 

On March 23, 2017 at 2:00 p.m., Special Agents
participated in a conference call with
present for the conversation were
from the United States Attorney's Office for the Eastern District of
New York, and from the Securities and Exchange Commission
(SEC). FIREEYE provided the following information:

Eleven companies were targeted in the scam. The eleven companies
were all targeted in 2017. Two or three individuals at the companies
clicked the link in the MICROSOFT Word document. Nothing suggested
the intruders successfully accessed inside information. The intrusion
was caught early in its life-cycle.


UNCLASSIFIED

Title: (U) FIREEYE Conference Call
Re: 318D-NY-2142524, 04/04/2017

The spear-phishing emails were sent from a compromised GODADDY
account. FIREEYE believed the attack was linked to Eastern European
cyber-criminals, specifically FIN7. The spear-phishing attack
utilized CARBANAK malware. CARBANAK was previously used by Eastern
European groups. Historically, CARBANAK was called ARBANAK by Eastern
European companies. The oldest attacks associated with CARBANAK
traced back to 2013. These attacks involved activity in areas such as
Russia. The malware was shared, and had an underground
distribution. There was a nexus between Eastern European criminal
groups and CARBANAK.


The spear-phishing emails sent to the targeted companies were 
addressed to specific personnel. The targeted individuals were 
publicly associated with SEC filings. The spoof emails were made to 
look like they were from EDGAR. The emails were spoofed to appear to 
be sent from the email address "filings@sec.gov". In a couple of 
customer cases, the intruders pulled down back doors. The intruders 
also pulled down CARBANAK and another tool. DNS malware was used 
during the attacks. 


FIREEYE found older attacks they believed were linked to the 2017 
attacks. One similar attack was in the summer of 2015, and two 
similar attacks were in the summer of 2016. These attacks also 
involved DNS malware and were related to SEC filings. 


b5
b7E

FIREEYE was unable to provide a list of the targeted companies due
to their policies and agreements. FIREEYE agreed to contact
representatives at the companies to provide FBI contact information.


318D-NY-2142524 Serial 5


FD-1057 (Rev. 5-8-10) 
UNCLASSIFIED 


FEDERAL BUREAU OF INVESTIGATION 


Electronic Communication 
Title: (U) Closing Communication Date: 05/17/2017 


From: NEW YORK 
NY-C1 


b6
b7C
Case ID #: 318D-NY-2142524 (U) Spear-phishing SEC Scam 
Synopsis: (U) To document closing of captioned investigation 


Full Investigation Initiated: 03/08/2017 


Details: 


Captioned investigation was opened on March 8, 2017 based on
reports from Fireeye which claimed certain of their clients, which
were publicly traded companies, were targeted in a phishing scam. The
specific targets within the companies were individuals with
responsibility over financial reporting, and the phishing emails
claimed to be from an official Securities and Exchange Commission
(SEC) account. The SEC opened their own civil investigation, and the
United States Attorney's Office for the Eastern District of New York
(EDNY) concurred with the opening of a parallel criminal
investigation. Investigation was to focus on trading patterns in the
stock of the victim companies, to determine if the information was
used for profitable trading.

Due to confidentiality agreements, Fireeye could not release the
names of their clients who were targeted. Fireeye reached out to the
customers and advised the FBI had an open investigation, and
instructed clients to contact writer should they be willing to
cooperate with the investigation. One client, contacted
writer, and advised they were targeted but stopped the intrusion
before any information was taken. After several additional attempts
to reach out to clients, no other companies have come forward as
willing to cooperate in the investigation.

b7E

Since there are no identified victims, and only one potential
victim identified, there are no trading records to review. Similarly,
with no victims coming forward, there are no additional emails to
review. The identity of the group responsible for the hack is
unknown, but believed to be a group previously identified as
FIN7. FIN7 is believed to be an Eastern European criminal enterprise,
but their location is unknown.





Since there are no investigative leads to follow, and no identified 
victims, EDNY declined prosecution of the case. Should any victims 
decide to contact the FBI, the investigation could be re-opened. 


All logical and reasonable investigative steps were 
taken. Sufficient personnel and financial resources were 
expended. All investigative steps and methods have been 
completed. There were no leads set, and no evidence collected. 


Writer requests captioned investigation be closed due to
prosecutorial declination.


Case ID #: 318D-NY-2142524 (U) Spear-phishing SEC Scam

Synopsis: (U) To open a new full investigation related to a
spear-phishing SEC scam.

Full Investigation Initiated: 03/08/2017

Enclosure(s): Enclosed are the following items:
1. (U) FORTUNE Article

Details:

An article on the FORTUNE website reported a cyber spear-phishing
scam in which emails, purportedly from the Securities and Exchange
Commission, were sent to companies in an effort to obtain inside
information. The messages specifically targeted individuals in
positions responsible for SEC filings. When individuals clicked on
instructions within a MICROSOFT Word file in the emails, the attackers
were granted access to internal networks. FORTUNE reported that the
spear-phishing attack was discovered in February by a company called
FIREEYE, which was able to intercept some of the emails. FIREEYE
believed the attackers to be an Eastern European crime syndicate
attempting to achieve financial gain by trading based on inside
information.